Governance, risk management and compliance (GRC) are the building blocks of a robust internal control environment, and financial firms are realising that to meet stakeholder obligations and achieve commercial goals, these competences must be managed in a broader way.
This is because compliance risks are only one part of the challenge. Firms need to balance their legal, regulatory, operational, investment and commercial obligations against the onslaught of changing supervisory expectations – expectations that have been driven by a handful of bad actors in the market.
Thanks to the global nature of many of these challenges to financial system stability, we are now seeing unprecedented regulatory convergence, co-ordination and action on emergent risks. This acceleration of regulatory change creates real challenges for small-and-medium sized investment firms. Those firms who can adapt to the challenge will do so by being able to manage their obligations more effectively. Firms need to monitor and step up to match supervisory expectations.
Supervisory trends point to more change
Hong Kong is seeing an unprecedented focus on enforcement of market conduct issues, while on the audit front, there is an increasing emphasis on internal control issues. In the last quarter of 2016, roughly one-third of SFC (Securities and Futures Commission) audit findings were internal control weaknesses, followed by Code of Conduct issues (20%) and anti-money laundering concerns (10%), according to its quarterly report.
Regulators globally have been moving in a similar direction. In order to manage their resources effectively, financial services supervisors are focusing policy development efforts on higher risk areas and high impact firms. They are also recognising the need to adapt more quickly to emerging threats. In Hong Kong, the SFC is increasingly clear at telegraphing specific expectations, and its general direction of travel, in much more effective manner.
Bumps in the road
However, the guidance provided to Hong Kong firms could be described as a “one size fits all” approach. Guidance is often not written with a firm’s type, risk profile or size in mind and therefore firms can be unsure about how to evolve their compliance infrastructure to maintain the right compliance/risk balance.
To take a sustainable approach to regulatory change, firms need practical and effective tools and techniques to deal with increasing compliance and operational requirements in today’s highly competitive business environment.
For example, emergent, growing and incubating firms are being required to do a lot more with less, as the concept of proportionality seems to be diluted in favor of giving entities time to establish infrastructure that complies. This leads some into believing, incorrectly, that controls can be created the day before regulators arrive. Proportionality has never really meant less control or lower requirements – and now this concept is being supplanted for firms of all types, internal controls will need to be maintained by a more intelligent GRC infrastructure.
Delivering the new MIC regime in a risk-based framework
With the new MIC (Manager-in-Charge) regime and proposals on fund management rules, the trend of more regulation of the investment industry in Hong Kong continues.
This creates a challenge. Most firms don’t have the resources, or inclination, to devote to continuing changing rules and responsibilities. Especially not at the expense of satisfying their investors. While regulators, in turn, are being driven by the need to react to – and prevent – emerging risks such as cybercrime.
Regulators are taking different approaches, moving away from being too prescriptive towards guidance to providing flexibility for firms to make decisions based on their commercial context. This is a good approach on paper, but in practice creates a divide between larger firms and the rest of the investment industry. Large firms consult with each other, and regulators take their lead when developing guidance. Naturally, as a result this guidance is often not relevant for the majority of the industry, which is smaller in scale and doesn’t have a voice.
In many cases, regulatory guidance, in an attempt to be ‘catch-all’, doesn’t provide clear paths to compliance for small and medium-sized firms. For those firms, sometimes the guidance can create more questions and challenges about on how to comply.
MIC – threat or opportunity?
With MIC, the SFC has further augmented the accountability of senior management, targeting eight core functions. This approach may be a relatively blunt instrument for a large proportion of partner-managed firms. However, there is opportunity here too. The process of documenting responsibility can enable small-to-medium sized firms to better visualise and improve their accountability structure across their entire firm, and reduce risk as a result.
This is because the recent introduction of more focused responsibility through the MIC – as well as the direction of travel indicated in the Proposals to Enhance Asset Management Regulations – illustrates how far the compliance function has developed.
Today, in-house compliance teams need to have less direct responsibility for achieving compliance. By reallocating responsibilities, the compliance team can devote its time and resources to ensuring the business units – the first line of defense – and other functions are undertaking the activities they need to do. This can often require some careful negotiation of responsibilities.
For example, often start-ups which hire operations people see them quickly inundated with operational compliance obligations. This can happen to such extent that paralysis can set in early for individuals who may not have had appropriate and prior experience. On the flip side, compliance team members can quickly become overcome with operational jobs.
In the day-to-day struggle, it can be difficult to effectively draw the kind of responsibility lines that seem to be expected under MIC. Effective guidance is necessary to understand what is compliance and what is operational, what is a business job versus what a control operation is, and how small-to-medium firms can structure the responsibilities while maintaining appropriate segregation.
There are other challenges too. Under the MIC regime, “operational control and review” and risk management have been redrawn as separate and distinct functions, although the MIC guidance highlights that risk management incorporates both operational and investment risk controls. Taking into account the requirements of segregation of duties reiterated in the internal guidelines, some may consider it impossible for senior managers in small-to-medium sized firms to operate and satisfy those requirements with current resources. How can firms demonstrate covering all those responsibilities and ensure segregation of duties without having to spend much more money and time?
The answer is relatively simple if the firm adopts a few simple GRC techniques, as well as appropriate record keeping. Firms don’t need an oversized compliance effort if they can rethink, reorganise and retool.
Adopting a risk-based approach
The SFC Risk and Strategy Unit published two papers highlighting that corporate governance, risk governance, risk culture and risk management are often used interchangeably. Both pieces argue that to quantify effectiveness of corporate governance, licensed corporations should deploy risk measurement tools in daily compliance and risk monitoring processes. The recent consultation on asset management has provided even more direction.
Adopting a risk-based approach to manage GRC is steadily becoming the norm in successful firms. As complexity increases, using a risk-based approach can help focus attention and resources on the areas of more substantial challenge for the firm. This can help prioritise the ever-increasing requirements and ease increasing costs.
Using risk management techniques allows firms to address governance, risk, compliance and internal control while simultaneously maintaining the necessary levels of segregation of duties. The approach involves classifying different holistic risk factors into different risk rating buckets. Then, the firm makes management resource allocation decisions in the very same way that investment decisions are made.
This self-review exercise does not need to be complicated. Firms should simply consider their risk profile on a regular basis, and decide whether they feel comfortable in discharging their duties with the resources they have.
Risk-based methodologies gained traction under capital adequacy-based regulatory models that sought to ensure banks and other financial institutions had put aside resources to address unforeseen challenges. Firms were encouraged to prioritise the risks they needed to address by regulators, once they had identified what those risks were.
Today, firms that can demonstrate robust and dynamic risk management can save money both on capital restrictions and on avoiding costly oversights/errors. They can demonstrate to the regulator how interest is aligned between the main stakeholders. Over time, the effectiveness of the risk-based approach has seen it spread to adjacent GRC disciplines, including AML, market abuse, and cyber risk.
For the full article please here
Derek McGibney is managing director, Asia, at Cordium